Re: No More Passwords In The Clear in HTTP!

From: Daniel W. Connolly <connolly@hal.com>
Date: Mon, 09 Jan 1995 16:11:50 -0600
Message-Id: <9501092211.AA11588@ulua.hal.com>
To: Brian Behlendorf <brian@wired.com>
Cc: www-talk@info.cern.ch, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>, Brian Behlendorf writes:
>	Brian
>brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsciously
follows these links...


Which has a handy reference to the S/Key paper from bellcore:

After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

	* passwords are _not_ stored on the server side in clear
	* user can securely use the same password at different sites
	* password can be changed without sending it over the net

	* server-side passwd database is not read-only: server must
	update the user's count of logins each time
	* doesn't support the opaque="..." feature of the spyglass proposal

Received on Monday, 9 January 1995 14:23:38 UTC
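
The S/Key properties listed in the message above, as an added example that is not part of the original message or of the Bellcore implementation: the server keeps only the last accepted chain value, and must write to its database on every login. SHA-256 stands in for S/Key's own hash function, and the `Server` class, user name, seeds and passphrase are constructed assumptions.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption): SHA-256, not S/Key's own MD4-based hash.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client side: apply h n times to seed + secret."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class Server:
    """Hypothetical server store: per user a seed, a count and the last accepted value."""
    def __init__(self):
        self.db = {}

    def enroll(self, user, seed, count, top):
        # top = h^count(seed + secret), computed by the client; the secret never arrives.
        self.db[user] = {"seed": seed, "count": count, "last": top}

    def challenge(self, user):
        rec = self.db[user]
        return rec["seed"], rec["count"] - 1

    def verify(self, user, otp):
        rec = self.db[user]
        if rec["count"] <= 1:
            return False  # chain used up: the client must enroll a new chain
        if not hmac.compare_digest(h(otp), rec["last"]):
            return False
        # The write the message points out: the database changes on every login.
        rec["last"], rec["count"] = otp, rec["count"] - 1
        return True

def demo():
    secret = b"constructed passphrase"  # constructed sample; stays on the client
    srv = Server()
    srv.enroll("dan", b"site-a", 5, chain(secret, b"site-a", 5))
    seed, n1 = srv.challenge("dan")
    otp = chain(secret, seed, n1)
    first, replay = srv.verify("dan", otp), srv.verify("dan", otp)
    seed, n2 = srv.challenge("dan")
    second = srv.verify("dan", chain(secret, seed, n2))
    return first, replay, n1, n2, second

if __name__ == "__main__":
    print(demo())
```

Changing the password is another call to `enroll` with a chain built from the new secret, so only the top of the new chain crosses the network; a different seed per site gives unrelated chains from the same password.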